On 4/28/25 05:49, Dumitru Ceara wrote:
On 4/25/25 9:16 PM, Mark Michelson via dev wrote:
REGBIT_CONNTRACK_COMMIT determines if a packet will be committed to
conntrack when it reaches the STATEFUL stage of a logical switch. When
stateful ACLs are present, the goal is to have this bit set for all
traffic. However, if the packet hit only "pass" ACLs, then the packet
was being allowed but not being committed to conntrack.

This patch addresses the error by setting REGBIT_CONNTRACK_COMMIT during
the ACL_HINT stage. Any time we set REGBIT_ACL_HINT_ALLOW_NEW, we also
set REGBIT_CONNTRACK_COMMIT. If the packet gets denied by ACLs, then the
packet will get dropped or rejected before REGBIT_CONNTRACK_COMMIT is
used. If the packet is allowed (statelessly, statefully, or by default),
then the packet will be committed to conntrack.

Reported-at: https://issues.redhat.com/browse/FDP-1321

Signed-off-by: Mark Michelson <mmich...@redhat.com>
---

Hi Mark,

Thanks for the fix but for some reason this patch is a bit corrupted.  I
manually applied it and pushed it for CI in my fork here:

https://github.com/dceara/ovn/tree/refs/heads/review-pws454250-tier-acl-commit

ovn-k CI: https://github.com/dceara/ovn/actions/runs/14704219132
ovn CI: https://github.com/dceara/ovn/actions/runs/14704219144

  northd/northd.c     |  20 +++---
  tests/ovn-northd.at | 172 ++++++++++++++++++++++----------------------
  tests/system-ovn.at | 120 +++++++++++++++++++++++++++++++
  3 files changed, 217 insertions(+), 95 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 74792e38b..9f66c7469 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -6368,10 +6368,16 @@ build_acl_hints(const struct ls_stateful_record 
*ls_stateful_rec,
          /* New, not already established connections, may hit either allow
           * or drop ACLs. For allow ACLs, the connection must also be committed
           * to conntrack so we set REGBIT_ACL_HINT_ALLOW_NEW.
+         *
+         * All new traffic should be committed to conntrack if there are
+         * stateful ACLs present, so set REGBIT_CONNTRACK_COMMIT here to
+         * ensure that the traffic is committed to conntrack in the STATEFUL
+         * stage.
           */
          ovn_lflow_add(lflows, od, stage, 7, "ct.new && !ct.est",
                        REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
                        REGBIT_ACL_HINT_DROP " = 1; "
+                      REGBIT_CONNTRACK_COMMIT " = 1; "
                        "next;", lflow_ref);
/* Already established connections in the "request" direction that
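Review bot: the new comment block should also record the invariant the rest of this patch relies on, namely that any packet carrying REGBIT_ACL_HINT_ALLOW_NEW now also carries REGBIT_CONNTRACK_COMMIT, and that a deny verdict drops or rejects the packet before the STATEFUL stage consumes the bit (the commit message says this, the code does not). Without that sentence, a future hint flow that sets REGBIT_ACL_HINT_ALLOW_NEW alone would silently bring back the uncommitted "pass" case this patch fixes. Suggested wording: `* ALLOW_NEW implies CONNTRACK_COMMIT: a deny verdict drops the packet` / `* before STATEFUL, so the bit is harmless on the deny path.`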
@@ -6379,13 +6385,15 @@ build_acl_hints(const struct ls_stateful_record 
*ls_stateful_rec,
           * - allow ACLs for connections that were previously allowed by a
           *   policy that was deleted and is being readded now. In this case
           *   the connection should be recommitted so we set
-         *   REGBIT_ACL_HINT_ALLOW_NEW.
+         *   REGBIT_ACL_HINT_ALLOW_NEW. Since we want traffic recommitted
+         *   in this case, we also set REGBIT_CONNTRACK_COMMIT.
           * - drop ACLs.
           */
          ovn_lflow_add(lflows, od, stage, 6,
                        "!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1",
                        REGBIT_ACL_HINT_ALLOW_NEW " = 1; "
                        REGBIT_ACL_HINT_DROP " = 1; "
+                      REGBIT_CONNTRACK_COMMIT " = 1; "
                        "next;", lflow_ref);
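Review bot: the match keeps `!ct.rpl`, so the commit bit is added only for request-direction packets of blocked sessions, while the later build_acls hunk removes the same bit from the priority-1 `ip && ct.est && ct_mark.blocked == 1` flows, which match both directions. The updated comment should say which path now re-commits a blocked session that hits no ACL and falls through to the default, and the behaviour the comment calls "recommitted" deserves a test that removes a drop ACL, sends a request-direction packet on the previously blocked session and checks ct_mark.blocked afterwards, since the comment is currently the only description of the intended result.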

I'm not sure this is correct.  This matches on sessions that were
established at some point (so there was an ACL that allowed them) but
later an ACL change happened and the new set of ACLs doesn't allow the
sessions anymore.

When the ACL change happened ct_mark.blocked was already set to 1 so we
don't need to update these sessions.

However later, in build_stateful(), we assume that if
REGBIT_CONNTRACK_COMMIT == 1 we should recommit (with ct_mark.blocked =
0) which "unblocks" these sessions, breaking ACL behavior.

My change is based on comments in the code. Prior to my patch, the comment above this section says:

  /* Already established connections in the "request" direction that
   * are already marked as "blocked" may hit either:
   * - allow ACLs for connections that were previously allowed by a
   *   policy that was deleted and is being readded now. In this case
   *   the connection should be recommitted so we set
   *   REGBIT_ACL_HINT_ALLOW_NEW.
   * - drop ACLs.
   */

Then, in consider_acl(), there is this comment:

   * It's also possible that a known connection was marked for
   * deletion after a policy was deleted, but the policy was
   * re-added while that connection is still known.  We catch
   * that case here and un-set ct_mark.blocked (which will be done
   * by ct_commit in the "stateful" stage) to indicate that the
   * connection should be allowed to resume.

So it seems like the whole idea behind REGBIT_ACL_HINT_ALLOW_NEW in this particular scenario is to re-commit the packet, setting ct_mark.blocked = 0 in the process. The reasoning is that the session was allowed, then the policy was removed, resulting in the packet being blocked. Then the policy was re-added, resulting in the packet needing to be re-committed.

So I think this won't break ACL behavior, but will maintain the current behavior for the obscure case where ACLs are added, removed, and then re-added.

One aspect about REGBIT_ACL_HINT_ALLOW_NEW is that it requires the packet to re-match ACLs before being allowed. So in the case where the packet should still be dropped (because the ACL was removed), the packet should still end up being dropped since it will not match the removed ACL.



I was about to suggest only setting REGBIT_CONNTRACK_COMMIT = 1 in this
case if ct_mark.blocked == 0 but I'm afraid that might cause all packets
in the original direction that match allow ACLs to be committed.

There might still be a way to do this in the hint stage but I'm not so
sure it's that easy.

Maybe we should change the code that handles the "pass" action instead so
that it behaves as if the action was "allow-related" if the ACL's tier is
equal to the max tier for that switch?
I can certainly go with something like that. My thought here was that the way I went about it makes it so that no matter what changes happen at the ACL evaluation or action stages, the packets will get committed to conntrack in the STATEFUL stage.


/* Not tracked traffic can either be allowed or dropped. */
@@ -7041,7 +7049,6 @@ consider_acl(struct lflow_table *lflows, const struct 
ovn_datapath *od,
                        acl->match);
ds_truncate(actions, log_verdict_len);
-        ds_put_cstr(actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
if (smap_get_bool(&acl->options, "persist-established", false)) {
              const struct sbrec_acl_id *sb_id;
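Review bot: with this line removed, the only commit consider_acl still emits is the one from the persist-established branch directly below, which the test expectations in this patch confirm (the reg0[[8]] flows with reg0[[13]] = 1 keep reg0[[1]] = 1 while the reg0[[7]] flows lose it). A one-line comment at the ds_truncate point saying that the ALLOW_NEW commit now comes from build_acl_hints would stop the next reader from re-adding the bit here and double-committing.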
@@ -7477,22 +7484,17 @@ build_acls(const struct ls_stateful_record 
*ls_stateful_rec,
          ds_put_format(&match, "ip && ct.est && ct_mark.blocked == 1");
          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1,
                        ds_cstr(&match),
-                      REGBIT_CONNTRACK_COMMIT" = 1; "
                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
                        lflow_ref);
          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1,
                        ds_cstr(&match),
-                      REGBIT_CONNTRACK_COMMIT" = 1; "
                        REGBIT_ACL_VERDICT_ALLOW" = 1; next;",
                        lflow_ref);
- const char *next_action = default_acl_drop
-                             ? "next;"
-                             : REGBIT_CONNTRACK_COMMIT" = 1; next;";
          ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL_EVAL, 1, "ip && !ct.est",
-                      next_action, lflow_ref);
+                      "next;" , lflow_ref);
          ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL_EVAL, 1, "ip && !ct.est",
-                      next_action, lflow_ref);
+                      "next;", lflow_ref);
/* Ingress and Egress ACL Table (Priority 65532).
           *
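Review bot: two points in this hunk. First, the removed `REGBIT_CONNTRACK_COMMIT" = 1; "` on the `ip && ct.est && ct_mark.blocked == 1` flows applied to both traffic directions, while its replacement in build_acl_hints is gated on `!ct.rpl`; if a reply-direction packet of a blocked session can reach these priority-1 allow flows, it is no longer re-committed, which is either intended (and should be stated in a comment) or a regression that needs a test. Second, `"next;" , lflow_ref);` on the ingress flow has a stray space before the comma that the egress line below does not, and with the `next_action` ternary gone it is worth checking that `default_acl_drop` is still referenced elsewhere in build_acls, otherwise the compiler will warn about an unused variable.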
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 82dfe92fd..82850e099 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2442,13 +2442,13 @@ ovn-sbctl dump-flows sw1 > sw1flows3
  AT_CAPTURE_FILE([sw1flows3])
AT_CHECK([grep "ls_out_acl" sw0flows3 sw1flows3 | grep pg0 | ovn_strip_lflows], [0], [dnl
-sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[7]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[7]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;)
  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[8]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;)
  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[10]] == 1 && (outport 
== @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[9]] == 1 && (outport 
== @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;)
  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 , match=(reg0[[10]] == 1 && (outport 
== @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
  sw0flows3:  table=??(ls_out_acl_eval    ), priority=2003 , match=(reg0[[9]] == 1 && (outport 
== @pg0 && ip6 && udp)), action=(reg8[[18]] = 1; next;)
-sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[7]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[7]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;)
  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2001 , match=(reg0[[8]] == 1 && 
(outport == @pg0 && ip)), action=(reg8[[16]] = 1; next;)
  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[10]] == 1 && (outport 
== @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
  sw1flows3:  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[9]] == 1 && (outport 
== @pg0 && ip4 && udp)), action=(reg8[[18]] = 1; next;)
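Review bot: this hunk only asserts where the commit bit disappeared (the reg0[[7]] ls_out_acl_eval flows for @pg0); the ls_out_acl_hint flows for sw0 and sw1, where the bit is now set, are not checked by this test. Since the fix moves the bit rather than dropping it, suggest extending the grep to `ls_out_acl_hint` here as the later hunks in this file do, so that a regression in the hint stage is caught for the port-group case too.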
@@ -2715,8 +2715,8 @@ check ovn-nbctl --wait=sb \
      -- acl-add ls from-lport 2 "udp" allow-related \
      -- acl-add ls to-lport 2 "udp" allow-related
  AT_CHECK([ovn-sbctl lflow-list ls | grep -e ls_in_acl_hint -e ls_out_acl_hint 
-e ls_in_acl -e ls_out_acl | grep 'ct\.' | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && 
ct_mark.allow_established == 1), action=(reg0[[21]] = 1; reg8[[16]] = 1; next;)
@@ -2726,10 +2726,10 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && 
ct_mark.allow_established == 1), action=(reg8[[16]] = 1; next;)
@@ -2739,8 +2739,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
  ])
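Review bot: the expectations at priority 5 (`!ct.trk`, reg0[[8]] and reg0[[9]] set, no reg0[[1]]) and priority 3 (`!ct.est`, reg0[[9]] only) show that untracked traffic and traffic that is neither new nor established still reach ACL evaluation without the commit bit. That is consistent with the code change but not with the commit message, which says all traffic allowed statelessly, statefully or by default is committed when stateful ACLs are present; either the commit message should scope the claim to tracked traffic or the build_acl_hints comment should say why `!ct.trk` traffic is intentionally never committed.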
AS_BOX([Check match ct_state with load balancer])
@@ -2756,9 +2756,9 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -2772,12 +2772,12 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=0    , match=(1), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
@@ -2791,8 +2791,8 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e 
ls_in_acl_hint -e ls_out_acl_hint -e
    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
  ])
check ovn-nbctl --wait=sb clear logical_switch ls acls
@@ -4912,7 +4912,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
  AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] 
= 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
  ])
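Review bot: here the reg0[[7]] flow drops reg0[[1]] = 1 but the reg0[[8]] flow for the same persist-established ACL keeps it, so the commit for this ACL is now owed to two different stages depending on the hint. That matches the consider_acl hunk, but the asymmetry is easy to misread as an omission when the test fails later; a short dnl comment above the AT_CHECK explaining why the reg0[[8]] line still carries reg0[[1]] would help.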
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
@@ -4922,7 +4922,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | 
ovn_strip_lflows], [0], [dnl
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] 
= 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
  ])
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
@@ -4939,8 +4939,8 @@ ovn-sbctl dump-flows sw0 > sw0flows
  AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] 
= 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
@@ -4951,8 +4951,8 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | 
ovn_strip_lflows], [0], [dnl
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 1234; reg8[[0..7]] 
= 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 1234; reg9 = 
1234; reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
@@ -4970,7 +4970,7 @@ ovn-sbctl dump-flows sw0 > sw0flows
  AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
  AT_CHECK([grep "ls_in_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
@@ -4980,7 +4980,7 @@ AT_CHECK([grep "ls_in_stateful" sw0flows | 
ovn_strip_lflows], [0], [dnl
  ])
AT_CHECK([grep -w "ls_out_acl_eval" sw0flows | grep 2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
  AT_CHECK([grep "ls_out_stateful" sw0flows | ovn_strip_lflows], [0], [dnl
@@ -8109,13 +8109,13 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[10]] == 1 && 
(ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; ct_label.obs_point_id 
= 0; }; next;)
    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[9]] == 1 && 
(ip4)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[10]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
    table=??(ls_in_acl_eval     ), priority=2004 , match=(reg0[[9]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
@@ -8131,8 +8131,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
  ])
AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
@@ -8166,9 +8166,9 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[10]] == 1 
&& (ip4)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2001 , match=(reg0[[9]] == 1 && 
(ip4)), action=(reg8[[17]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2002 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[10]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; ct_commit { ct_mark.blocked = 1; 
ct_label.obs_point_id = 0; }; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2004 , match=(reg0[[9]] == 1 && (ip4 
&& ip4.dst == 10.0.0.2)), action=(reg8[[17]] = 1; next;)
@@ -8176,8 +8176,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
@@ -8190,8 +8190,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
  ])
AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
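Review bot: the priority-6 hint flow (`!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1`) now sets `reg0[[1]] = 1` alongside the priority-7 `ct.new && !ct.est` flow, but the commit message only motivates the new-connection case ("pass" ACLs leaving new traffic uncommitted); please spell out, in the commit message and in the build_acl_hints comment, that the blocked-established case needs the commit bit too so that the stateful stage re-commits and clears ct_mark.blocked once policy flips back to allow. The priority-3 `!ct.est` and priority-5 `!ct.trk` flows deliberately do not set the bit; please confirm that is intended for every packet class they catch and say so in the comment.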
@@ -8231,11 +8231,11 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[21]] == 1), 
action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(reg0[[1]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2002 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[7]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2003 , match=(reg0[[8]] == 1 && (ip4 
&& icmp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -8249,8 +8249,8 @@ AT_CHECK([grep -e "ls_in_acl.*eval" -e "ls_in_acl_hint" 
lsflows | ovn_strip_lflo
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
  ])
AT_CHECK([grep -e "ls_in_lb " lsflows | ovn_strip_lflows], [0], [dnl
@@ -8779,8 +8779,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
@@ -8794,8 +8794,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
@@ -8809,7 +8809,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 
0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst 
<-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=??); };)
    table=??(ls_out_acl_eval    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
@@ -8822,8 +8822,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
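Review bot: the egress tables mirror the ingress change one for one: the ls_out_acl_eval `ip && ct.est && ct_mark.blocked == 1` flow in the previous hunk loses `reg0[[1]] = 1` and the ls_out_acl_hint priority-6 and priority-7 flows gain it. These expected-flow checks only show that the bit moved, not that the to-lport unblock path still works end to end; a system test that installs a to-lport drop ACL, opens a connection, replaces the ACL with allow-related and then verifies the egress-direction connection is unblocked would guard this path, so please make sure the to-lport direction is covered and not only from-lport.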
@@ -8973,7 +8973,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[17]] == 
1), action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; /* drop */)
    table=??(ls_in_acl_after_lb_action), priority=1000 , match=(reg8[[18]] == 1), 
action=(reg8[[16]] = 0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> 
eth.src; ip.dst <-> ip.src; is implicit. */ outport <-> inport; 
next(pipeline=egress,table=??); };)
    table=??(ls_in_acl_after_lb_eval), priority=0    , match=(1), action=(next;)
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || 
nd_rs || mldv1 || mldv2), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[[17]] == 1), 
action=(reg8[[16]] = 1; next;)
@@ -8981,7 +8981,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
@@ -8994,8 +8994,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
@@ -9009,7 +9009,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 
0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst 
<-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=??); };)
    table=??(ls_out_acl_eval    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[[16]] = 1; next;)
@@ -9022,8 +9022,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
@@ -9179,7 +9179,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_eval     ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_eval     ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=34000, match=(eth.dst == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg0[[17]] = 1; reg8[[16]] = 1; ct_commit_nat;)
    table=??(ls_in_acl_eval     ), priority=65532, match=(ct.est && !ct.rel && !ct.new && 
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; reg0[[17]] = 1; 
reg8[[16]] = 1; next;)
@@ -9192,8 +9192,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_in_acl_hint     ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_in_acl_hint     ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_hint     ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_pre_acl      ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
@@ -9207,8 +9207,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_action  ), priority=1000 , match=(reg8[[18]] == 1), action=(reg8[[16]] = 
0; reg8[[17]] = 0; reg8[[18]] = 0; reg0 = 0; reject { /* eth.dst <-> eth.src; ip.dst 
<-> ip.src; is implicit. */ outport <-> inport; next(pipeline=ingress,table=??); };)
    table=??(ls_out_acl_eval    ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_eval    ), priority=1    , match=(ip && !ct.est), 
action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg0[[1]] = 1; reg8[[16]] = 1; next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1    , match=(ip && ct.est && 
ct_mark.blocked == 1), action=(reg8[[16]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && (ip4 
&& tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=34000, match=(eth.src == 
$svc_monitor_mac), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=65532, match=(!ct.est && ct.rel && !ct.new 
&& !ct.inv && ct_mark.blocked == 0), action=(reg8[[16]] = 1; ct_commit_nat;)
@@ -9222,8 +9222,8 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" | 
ovn_strip_lflows], [0], [
    table=??(ls_out_acl_hint    ), priority=3    , match=(!ct.est), 
action=(reg0[[9]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=4    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
    table=??(ls_out_acl_hint    ), priority=5    , match=(!ct.trk), 
action=(reg0[[8]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
-  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=6    , match=(!ct.new && ct.est && !ct.rpl 
&& ct_mark.blocked == 1), action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_hint    ), priority=7    , match=(ct.new && !ct.est), 
action=(reg0[[7]] = 1; reg0[[9]] = 1; reg0[[1]] = 1; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_pre_acl     ), priority=100  , match=(ip), 
action=(reg0[[0]] = 1; next;)
@@ -13197,7 +13197,7 @@ check_uuid ovn-nbctl --wait=sb \
    --id=@sample2 create Sample collector="$collector1 $collector2" 
metadata=4302 -- \
    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
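Review bot: in this sampling test the `reg0[[8]] == 1` (established) flow at priority 1001 keeps an explicit `reg0[[1]] = 1` in its action while the `reg0[[7]] == 1` flow loses it; the asymmetry is correct, since with `--sample-est` the established connection must be re-committed to stamp the observation point into ct_label and the hint stage never sets the commit bit for plain established traffic (the priority-4 hint flow sets only reg0[[8]] and reg0[[10]]). The same pattern repeats in the after-lb and to-lport variants below, and the `reg0[[8]]` flow drops the bit again in the tests without `--sample-est`, so a short comment in northd.c next to the sample-est commit would keep a future cleanup from treating it as redundant.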
@@ -13230,7 +13230,7 @@ check_uuid ovn-nbctl --wait=sb \
    --id=@sample1 create Sample collector="$collector1 $collector2" 
metadata=4301 -- \
    --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13260,7 +13260,7 @@ check_uuid ovn-nbctl --wait=sb \
    --id=@sample2 create Sample collector="$collector1 $collector2" 
metadata=4302 -- \
    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 
"1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && 
reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13293,7 +13293,7 @@ check_uuid ovn-nbctl --wait=sb \
    --id=@sample1 create Sample collector="$collector1 $collector2" 
metadata=4301 -- \
    --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1100 , match=(ip && ct.new && 
reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13325,7 +13325,7 @@ check_uuid ovn-nbctl --wait=sb \
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1200 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct.rpl && ct_label.obs_point_id == 4302 && ct_label.obs_unused == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);sample(probability=65535,collector_set=??,obs_domain=43,obs_point=4302);
 next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) 
&& reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13358,7 +13358,7 @@ check_uuid ovn-nbctl --wait=sb \
    --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 0; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 0; 
reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1100 , match=(ip && (ct.new || !ct.trk) 
&& reg3 == 4301), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301);
 next;)
@@ -13418,7 +13418,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1100 , match=(ip && ct.new && reg3 
== 4301), action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=4301); 
next;)
@@ -13456,7 +13456,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
    --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] 
== 1 && reg8[[19..20]] == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -13491,7 +13491,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
    --sample-new=@sample1 acl-add ls from-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_sample -e ls_in_acl_eval 
-e ls_out_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e 
reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
+  table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_eval     ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 0; next;)
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.new && reg8[[0..7]] 
== 1 && reg8[[19..20]] == 0), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -13524,7 +13524,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --id=@sample2 create Sample collector="$collector1" metadata=4302 -- \
    --apply-after-lb --sample-new=@sample1 --sample-est=@sample2 acl-add ls from-lport 1 
"1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && 
reg8[[0..7]] == 1 && reg8[[19..20]] == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -13559,7 +13559,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --id=@sample1 create Sample collector="$collector1" metadata=4301 -- \
    --apply-after-lb --sample-new=@sample1 acl-add ls from-lport 1 "1" 
allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_in_acl_after_lb_sample -e 
ls_in_acl_after_lb_eval -e ls_out_acl_sample | ovn_strip_lflows | 
ovn_strip_collector_set | grep -e reg3 -e reg9 -e sample], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 1; next;)
    table=??(ls_in_acl_after_lb_sample), priority=0    , match=(1), 
action=(next;)
    table=??(ls_in_acl_after_lb_sample), priority=1000 , match=(ip && ct.new && 
reg8[[0..7]] == 1 && reg8[[19..20]] == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -13594,7 +13594,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
    table=??(ls_in_acl_sample   ), priority=1000 , match=(ip && ct.trk && (ct.est || ct.rel) && 
ct_label.obs_unused == 0 && ct.rpl && ct_mark.obs_collector_id == 1), 
action=(sample(probability=65535,collector_set=??,obs_domain=43,obs_point=ct_label.obs_point_id); next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; reg8[[0..7]] = 
1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 4302; 
reg8[[0..7]] = 1; reg8[[8..15]] = 1; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && 
reg8[[0..7]] == 1 && reg8[[19..20]] == 2), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -13629,7 +13629,7 @@ check_uuid ovn-nbctl --wait=sb                          
               \
    --sample-new=@sample1 acl-add ls to-lport 1 "1" allow-related
  AT_CHECK([ovn-sbctl lflow-list | grep -e ls_out_acl_sample -e ls_out_acl_eval 
-e ls_in_acl_sample | ovn_strip_lflows | ovn_strip_collector_set | grep -e reg3 
-e reg9 -e sample], [0], [dnl
    table=??(ls_in_acl_sample   ), priority=0    , match=(1), action=(next;)
-  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; 
reg8[[0..7]] = 1; reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
+  table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[7]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_eval    ), priority=1001 , match=(reg0[[8]] == 1 && 
(1)), action=(reg8[[16]] = 1; reg0[[13]] = 1; reg3 = 4301; reg9 = 0; reg8[[0..7]] = 1; 
reg8[[8..15]] = 0; reg8[[19..20]] = 2; next;)
    table=??(ls_out_acl_sample  ), priority=0    , match=(1), action=(next;)
    table=??(ls_out_acl_sample  ), priority=1000 , match=(ip && (ct.new || !ct.trk) && 
reg8[[0..7]] == 1 && reg8[[19..20]] == 2), 
action=(sample(probability=65535,collector_set=??,obs_domain=42,obs_point=reg3); next;)
@@ -14950,17 +14950,17 @@ check ovn-nbctl acl-add sw to-lport 1002 "ip" 
allow-related
  check ovn-nbctl --apply-after-lb acl-add sw from-lport 1003 "udp" 
allow-related
AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep priority=2001 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; next;)
  ])
AT_CHECK([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
AT_CHECK([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
  ])
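Review bot: this hunk drops the only place the test asserted that an allow-related ACL sets `reg0[[1]]`, and the filter (`grep ls_in_acl_eval | grep priority=2001`) never looks at the stage that is supposed to set it now. After this change no assertion in ovn-northd.at verifies that the hint-stage flow which sets `reg0[[7]]` also sets `reg0[[1]]`, which is the whole point of the northd.c change. Suggest adding an AT_CHECK over the ls_in_acl_hint flows for `sw` that expects the commit bit alongside the ALLOW_NEW hint, so a regression in build_acl_hints would be caught here rather than only by the system test.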
@@ -14980,17 +14980,17 @@ after_lb_id=$(ovn-sbctl get ACL_ID $after_lb_uuid id) dnl Now we should see the registers being set to the appropriate values.
  AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_eval | grep 
priority=2001 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] = $ingress_id; reg0[[20]] 
= 1; next;)
+  table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[7]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $ingress_id; reg0[[20]] = 1; next;)
    table=??(ls_in_acl_eval     ), priority=2001 , match=(reg0[[8]] == 1 && 
(tcp)), action=(reg8[[16]] = 1; next;)
  ])
AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_in_acl_after_lb_eval | grep priority=2003 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] = $after_lb_id; 
reg0[[20]] = 1; next;)
+  table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[7]] == 1 && 
(udp)), action=(reg8[[16]] = 1; reg2[[16..31]] = $after_lb_id; reg0[[20]] = 1; next;)
    table=??(ls_in_acl_after_lb_eval), priority=2003 , match=(reg0[[8]] == 1 && 
(udp)), action=(reg8[[16]] = 1; next;)
  ])
AT_CHECK_UNQUOTED([ovn-sbctl lflow-list sw | grep ls_out_acl_eval | grep priority=2002 | ovn_strip_lflows], [0], [dnl
-  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg0[[1]] = 1; reg2[[16..31]] = $egress_id; reg0[[20]] = 
1; next;)
+  table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[7]] == 1 && 
(ip)), action=(reg8[[16]] = 1; reg2[[16..31]] = $egress_id; reg0[[20]] = 1; next;)
    table=??(ls_out_acl_eval    ), priority=2002 , match=(reg0[[8]] == 1 && 
(ip)), action=(reg8[[16]] = 1; next;)
  ])
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 5fa740cfb..9faadfb1d 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -17618,3 +17618,123 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port 
patch-.*/d
  /connection dropped.*/d"])
  AT_CLEANUP
  ])
+
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([conntrack on pass ACLs])
+
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+ovn_start
+OVS_TRAFFIC_VSWITCHD_START()
+ADD_BR([br-int])
+#
+# Set external-ids in br-int needed for ovn-controller
+check ovs-vsctl \
+        -- set Open_vSwitch . external-ids:system-id=hv1 \
+        -- set Open_vSwitch . 
external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
+        -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
+        -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
+        -- set bridge br-int fail-mode=secure other-config:disable-in-band=true
+
+# Start ovn-controller
+start_daemon ovn-controller
+
+# Ensure that when stateful ACLs are present, a "pass"
+# action results in the packet being allowed (since we
+# do not have whatever that thing is called that
+# drops packets by default when using ACLs enabled). If
+# this is the final verdict of all ACL tiers, then the
+# packet should also be committed to conntrack, the same
+# as if an "allow" of "allow-related" verdict were final.
+
+check ovn-nbctl ls-add ls
+check ovn-nbctl lsp-add ls lsp1 \
+-- lsp-set-addresses lsp1 "f0:00:00:00:00:01 192.168.1.1"
+check ovn-nbctl lsp-add ls lsp2 \
+-- lsp-set-addresses lsp2 "f0:00:00:00:00:02 192.168.1.2"
+
+ADD_NAMESPACES(lsp1)
+ADD_VETH(lsp1, lsp1, br-int, "192.168.1.1/24", "f0:00:00:00:00:01", \
+         "192.168.1.100")
+
+ADD_NAMESPACES(lsp2)
+ADD_VETH(lsp2, lsp2, br-int, "192.168.1.2/24", "f0:00:00:00:00:02", \
+         "192.168.1.100")
+
+# First, set up a "pass" ACL by itself.
+check ovn-nbctl acl-add ls from-lport 1000 "ip4.src == 192.168.1.1" pass
+check ovn-nbctl acl-add ls to-lport 1000 "ip4.src == 192.168.1.2" pass
+
+# Ping should succeed since from-lport "pass" ACL is the only one matched.
+NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 | FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# Ping the other way should also succeed since to-lport "pass" ACL is matched.
+NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 | FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# There should be no conntrack entries created since there are no stateful 
ACLs.
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [1], [dnl
+])
+
+# Now add an arbitrary stateful ACL to the mix. We'll never match on this
+# ACL, but its presence should change things.
+check ovn-nbctl acl-add ls from-lport 200 "ip4.src == 192.168.1.50" 
allow-related
+
+# Pings should still succeed.
+NS_CHECK_EXEC([lsp1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.2 | FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+NS_CHECK_EXEC([lsp2], [ping -q -c 3 -i 0.3 -w 2 192.168.1.1 | FORMAT_PING], \
+[0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+# Now there should be conntrack entries from the pings
+# We should have an entry for each direction of traffic in
+# each port's zone: a total of four.
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.2) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.1.1) | \
+sed -e 's/zone=[[0-9]]*/zone=<cleared>/' | grep icmp], [0], [dnl
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=8,code=0),reply=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+icmp,orig=(src=192.168.1.2,dst=192.168.1.1,id=<cleared>,type=8,code=0),reply=(src=192.168.1.1,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
+])
+
+OVN_CLEANUP_CONTROLLER([hv1])
+
+as ovn-sb
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+as ovn-nb
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+
+as northd
+OVS_APP_EXIT_AND_WAIT([ovn-northd])
+
+as
+OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d
+/connection dropped.*/d"])
+
+AT_CLEANUP
+])
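Review bot: the explanatory comment at the top of the test ("since we do not have whatever that thing is called that drops packets by default when using ACLs enabled") should state the actual condition being relied on instead of a placeholder, and "an "allow" of "allow-related" verdict" should read "or". Two smaller points on the same hunk: `CHECK_CONNTRACK_NAT()` is required although the test configures no NAT, which will skip it on hosts without NAT support for no benefit, so `CHECK_CONNTRACK()` alone seems sufficient; and the two final dump-conntrack checks (`FORMAT_CT(192.168.1.2)` and `FORMAT_CT(192.168.1.1)`) expect the identical four lines because every entry contains both addresses, so the second check adds no coverage and could be dropped or changed to filter by zone if per-port verification is the intent.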

Regards,
Dumitru


_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
